A method, system and computer-usable medium are disclosed for identifying risk within an information technology (IT) environment, comprising: analyzing characteristics of a user accessing a system within an IT environment; associating a risk profile with the user based upon the characteristics of the user; determining when the user accesses a system within the IT environment; maintaining a user risk profile record of all systems within the IT environment accessed by the user, the user risk profile record continuing to be associated with the system after access by the user ceases; and, identifying a risk level for all systems within the IT environment based upon the user risk profile record.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A system comprising: a processor; a data bus coupled to the processor; and a computer-usable medium embodying computer program code, the computer-usable medium being coupled to the data bus, the computer program code used for identifying risk within an information technology (IT) environment and comprising instructions executable by the processor and configured for: collecting data regarding user activities from a plurality of user activity data sources, the collecting data being provided to a user activity profiler from a security intelligence system via predefined user activity profile application program interfaces; storing the data regarding the user activities within a user activity data repository; analyzing characteristics of a user accessing a system within an IT environment, the IT environment comprising a plurality of systems, the characteristics of the user being related to the user activities and information relating to activity behavioral groups based upon the user activities; associating a risk profile with the user based upon the characteristics of the user; determining when the user accesses a system within the IT environment; maintaining a user risk profile record of all systems of the plurality of systems within the IT environment accessed by the user, the user risk profile record continuing to be associated with the user after access by the user ceases; and, identifying a risk level for the plurality of systems within the IT environment based upon the user risk profile record; and wherein specific suspicious user activity is identified based on external threat feeds and analysis; and, information regarding the specific suspicious user activity is presented to an organization and to individual users with regard to risk assessments, observed suspicious activities and general education of what is affecting risk with respect to the organization and individual users.
A system for identifying risk in an IT environment comprises a processor and a computer-usable medium storing instructions. The instructions collect user activity data from multiple sources through predefined APIs from a security intelligence system and store this data in a repository. The system analyzes the characteristics of users accessing systems within the IT environment, drawing on activity behavioral groups derived from user activities. It associates a risk profile with each user and determines when a user accesses a system. A user risk profile record tracks every system the user has accessed, and the record persists even after the user's access ends. The system identifies a risk level for each system based on these records and identifies specific suspicious activity based on external threat feeds. Finally, risk assessments and observed suspicious activities are presented to the organization and to individual users, educating them about the factors affecting risk.
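The core mechanism of claim 1, as an added illustration that is not code from the patent: a per-user risk profile seeded from user characteristics, a record of every system the user has accessed that is kept after the session ends, a threat-feed match that raises the user's score, and a system risk level derived from the records of all users who ever touched that system. The user characteristics, weights, indicator and events are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data; none of it comes from the patent.
USERS = {  # user characteristics that seed the risk profile
    "alice": {"privileged": True, "contractor": False},
    "bob": {"privileged": False, "contractor": False},
    "carol": {"privileged": False, "contractor": True},
}
THREAT_FEED = {"c2.example.invalid"}  # placeholder indicator, not a real IoC
# (user, system, action, destination) in time order; "logout" ends the session
EVENTS = [
    ("alice", "hr-db", "login", None),
    ("alice", "hr-db", "logout", None),
    ("bob", "payroll-app", "login", None),
    ("bob", "payroll-app", "connect", "c2.example.invalid"),
    ("bob", "payroll-app", "logout", None),
    ("carol", "hr-db", "login", None),
]

@dataclass
class UserRiskProfile:
    score: int = 0
    systems_accessed: set = field(default_factory=set)  # never pruned on logout
    suspicious: list = field(default_factory=list)

def base_score(characteristics):
    # Hypothetical weighting of characteristics (assumed, not from the patent)
    return 1 + 2 * int(characteristics["privileged"]) + int(characteristics["contractor"])

def build_profiles(events, users, threat_feed):
    """Maintain the user risk profile record: every system a user ever accessed."""
    profiles = defaultdict(UserRiskProfile)
    for user, system, action, dest in events:
        p = profiles[user]
        p.score = max(p.score, base_score(users[user]))
        p.systems_accessed.add(system)  # stays associated after access ceases
        if dest in threat_feed:  # suspicious activity matched against the feed
            p.suspicious.append((system, dest))
            p.score += 5
    return profiles

def system_risk_levels(profiles):
    """Risk level per system: highest score of any user who ever accessed it."""
    risk = defaultdict(int)
    for p in profiles.values():
        for system in p.systems_accessed:
            risk[system] = max(risk[system], p.score)
    return dict(risk)
```

Because bob's record of payroll-app survives his logout, the system keeps the elevated risk level after his suspicious session ends, which is the behaviour the claim specifies.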
2. The system of claim 1, wherein: the analyzing characteristics of the user accessing the system comprise modelling the user activities via a collection of data from the plurality of user activity data sources.
Building upon the risk identification system, the analysis of user characteristics involves modeling user activities by collecting data from multiple user activity data sources. This modeling component creates a behavioral baseline for each user by aggregating diverse datasets related to application usage, file access patterns, network traffic, and authentication logs. Anomaly detection algorithms are applied to identify deviations from this baseline, which may then be flagged as potentially risky behavior. Data sources for analysis can include security information and event management (SIEM) systems and data loss prevention (DLP) systems.
3. The system of claim 1, wherein: activity behavioral groups are constructed on a global perspective based upon the user activities of a plurality of users.
Building upon the risk identification system, activity behavioral groups are constructed from a global perspective based on the user activities of many users. These groups represent common activity patterns across the entire user base, allowing the system to identify behaviors that are typical, atypical, or potentially malicious relative to the broader organization. Machine learning techniques such as clustering are used to identify these groups and associated activities. By comparing an individual user's activity against these global groups, the system can detect deviations that might indicate insider threats or compromised accounts.
4. The system of claim 1, wherein: activity behavioral groups are constructed on an individual perspective based upon user activities of a single user.
Building upon the risk identification system, activity behavioral groups are constructed from an individual perspective based on user activities of a single user. The system establishes a baseline of normal activity for each specific user, allowing for personalized anomaly detection. This approach is particularly useful for identifying subtle changes in behavior that may not be apparent when comparing a user to global activity patterns. The individual perspective is continuously updated with new activity data, ensuring the baseline remains relevant. Deviations from this individual baseline are flagged as potentially risky.
5. The system of claim 1, wherein: user activity is associated with one or more user activity attributes, the user activity comprising browsing habits and system access behavior; and user activities are dynamically clustered depending on a user activity.
Building upon the risk identification system, user activity is associated with attributes such as browsing habits and system access behavior. These activities are dynamically clustered based on the activity itself. For example, activities like accessing sensitive data outside of normal working hours or downloading large files from unusual locations are associated with specific attributes. The system employs dynamic clustering algorithms to group similar activities together, enabling more precise risk assessment and identifying emerging threat patterns. These patterns are also updated automatically by machine learning modules.
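Claims 2 through 5 together describe an individual baseline per user, a global perspective across all users, and activity attributes used to cluster events dynamically. The following added example (not the patent's own code, and also serving the mirrored claims 7 through 10) builds both baselines from a constructed activity history, tags an event with the attributes that explain its deviation, and groups events by those attributes. The global perspective is simplified here to whole-population statistics rather than a clustering algorithm, and the 3-standard-deviation threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed activity history: (user, hour_of_day, bytes_downloaded). Not patent data.
HISTORY = [
    ("alice", 9, 1_000), ("alice", 10, 2_000), ("alice", 14, 1_500), ("alice", 16, 1_200),
    ("bob", 8, 50_000), ("bob", 11, 60_000), ("bob", 13, 55_000), ("bob", 17, 52_000),
]

def _baseline(rows):
    """Hours seen plus download-size statistics for a set of (hour, bytes) rows."""
    sizes = [b for _, b in rows]
    return {"hours": {h for h, _ in rows}, "mean": mean(sizes), "sd": pstdev(sizes)}

def individual_baselines(history):
    """Individual perspective (claim 4): one baseline per user."""
    per_user = defaultdict(list)
    for user, hour, nbytes in history:
        per_user[user].append((hour, nbytes))
    return {user: _baseline(rows) for user, rows in per_user.items()}

def global_baseline(history):
    """Global perspective (claim 3), simplified to whole-population statistics."""
    return _baseline([(h, b) for _, h, b in history])

def activity_attributes(user, hour, nbytes, individual, glob):
    """Attributes (claim 5) explaining how an event deviates; empty means normal."""
    tags = []
    base = individual.get(user)
    if base is None:  # no history: fall back to the global baseline
        tags.append("unknown_user")
        base = glob
    if hour not in base["hours"]:
        tags.append("off_hours_for_user" if hour in glob["hours"] else "off_hours_globally")
    if nbytes > base["mean"] + 3 * base["sd"]:  # assumed 3-sigma threshold
        tags.append("large_download_for_user")
    if nbytes > glob["mean"] + 3 * glob["sd"]:
        tags.append("large_download_globally")
    return tags

def cluster_by_attributes(events, individual, glob):
    """Dynamic grouping: events sharing the same attribute set land in one cluster."""
    clusters = defaultdict(list)
    for user, hour, nbytes in events:
        key = tuple(activity_attributes(user, hour, nbytes, individual, glob))
        clusters[key].append((user, hour, nbytes))
    return dict(clusters)
```

An event that is normal for bob (a 55 kB download at 13:00) would be a large, off-hours download for alice, which is the individual-versus-global distinction the claims draw.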
6. A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for: collecting data regarding user activities from a plurality of user activity data sources, the collecting data being provided to a user activity profiler from a security intelligence system via predefined user activity profile application program interfaces; storing the data regarding the user activities within a user activity data repository; analyzing characteristics of a user accessing a system within an information technology (IT) environment, the IT environment comprising a plurality of systems, the characteristics of the user being related to the user activities and information relating to activity behavioral groups based upon the user activities; associating a risk profile with the user based upon the characteristics of the user; determining when the user accesses a system of the plurality of systems within the IT environment; maintaining a user risk profile record of all systems within the IT environment accessed by the user, the user risk profile record continuing to be associated with the user after access by the user ceases; and, identifying a risk level for the plurality of systems within the IT environment based upon the user risk profile record; and wherein specific suspicious user activity is identified based on external threat feeds and analysis; and, information regarding the specific suspicious user activity is presented to an organization and to individual users with regard to risk assessments, observed suspicious activities and general education of what is affecting risk with respect to the organization and individual users.
A computer-readable storage medium contains instructions for identifying risk in an IT environment. The instructions collect user activity data from multiple sources through predefined APIs from a security intelligence system and store this data in a repository. They analyze the characteristics of users accessing systems within the IT environment, drawing on activity behavioral groups derived from user activities. They associate a risk profile with each user and determine when a user accesses a system. A user risk profile record tracks every system the user has accessed, and the record persists even after the user's access ends. The instructions identify a risk level for each system based on these records and identify specific suspicious activity based on external threat feeds. Finally, risk assessments and observed suspicious activities are presented to the organization and to individual users, educating them about the factors affecting risk.
7. The non-transitory, computer-readable storage medium of claim 6, wherein: the analyzing characteristics of the user accessing the system comprise modelling the user activities via a collection of data from the plurality of user activity data sources.
Building upon the computer-readable storage medium for risk identification, the analysis of user characteristics involves modeling user activities by collecting data from multiple user activity data sources. This modeling component creates a behavioral baseline for each user by aggregating diverse datasets related to application usage, file access patterns, network traffic, and authentication logs. Anomaly detection algorithms are applied to identify deviations from this baseline, which may then be flagged as potentially risky behavior. Data sources for analysis can include security information and event management (SIEM) systems and data loss prevention (DLP) systems.
8. The non-transitory, computer-readable storage medium of claim 6, wherein: activity behavioral groups are constructed on a global perspective based upon the user activities of a plurality of users.
Building upon the computer-readable storage medium for risk identification, activity behavioral groups are constructed from a global perspective based on the user activities of many users. These groups represent common activity patterns across the entire user base, allowing the system to identify behaviors that are typical, atypical, or potentially malicious relative to the broader organization. Machine learning techniques such as clustering are used to identify these groups and associated activities. By comparing an individual user's activity against these global groups, the system can detect deviations that might indicate insider threats or compromised accounts.
9. The non-transitory, computer-readable storage medium of claim 6, wherein: activity behavioral groups are constructed on an individual perspective based upon user activities of a single user.
Building upon the computer-readable storage medium for risk identification, activity behavioral groups are constructed from an individual perspective based on user activities of a single user. The instructions establish a baseline of normal activity for each specific user, allowing for personalized anomaly detection. This approach is particularly useful for identifying subtle changes in behavior that may not be apparent when comparing a user to global activity patterns. The individual perspective is continuously updated with new activity data, ensuring the baseline remains relevant. Deviations from this individual baseline are flagged as potentially risky.
10. The non-transitory, computer-readable storage medium of claim 6, wherein: user activity is associated with one or more user activity attributes, the user activity comprising browsing habits and system access behavior; and user activities are dynamically clustered depending on a user activity.
Building upon the computer-readable storage medium for risk identification, user activity is associated with attributes such as browsing habits and system access behavior. These activities are dynamically clustered based on the activity itself. For example, activities like accessing sensitive data outside of normal working hours or downloading large files from unusual locations are associated with specific attributes. The instructions employ dynamic clustering algorithms to group similar activities together, enabling more precise risk assessment and identifying emerging threat patterns. These patterns are also updated automatically by machine learning modules.
11. The non-transitory, computer-readable storage medium of claim 6, wherein the computer executable instructions are deployable to a client system from a server system at a remote location.
Building upon the computer-readable storage medium for risk identification, the instructions are deployable to a client system from a server system at a remote location. This feature supports remote installation, updates, and maintenance of the risk identification software. The client system downloads the instructions from the server, allowing for centralized management and deployment across a distributed network. This is particularly relevant for cloud-based deployments.
12. The non-transitory, computer-readable storage medium of claim 6, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis.
Building upon the computer-readable storage medium for risk identification, the instructions are provided by a service provider to a user on an on-demand basis. This allows users to access the risk identification system as a service, without the need for local installation or infrastructure management. The service provider handles all aspects of the system, including data storage, processing, and updates, enabling users to benefit from the functionality through a subscription-based model or pay-per-use arrangement.
November 30, 2015
March 28, 2017